Quantum key distribution device, quantum key distribution system, and quantum key distribution method

ABSTRACT

According to an embodiment, a quantum key distribution device includes a key sharing unit, a correcting unit, a compressor, and a controller. The key sharing unit is configured to generate a shared bit string by using quantum key distribution performed with another quantum key distribution device via a quantum communication channel. The correcting unit is configured to generate a corrected bit string through an error correction process with respect to the shared bit string. The compressor is configured to generate an encryption key through a key compression process with respect to the corrected bit string. The controller is configured to perform a restraining operation in which the total number of bits of encryption keys generated per unit time by the compressor is smaller than the total number of bits of the encryption keys generated per unit time by the compressor in the case of not performing the restraining operation.

CROSS-REFERENCE TO RELATED APPLICATION

This application is based upon and claims the benefit of priority fromJapanese Patent Application No. 2014-027682, filed on Feb. 17, 2014; theentire contents of which are incorporated herein by reference.

FIELD

Embodiments described herein relate generally to a quantum keydistribution device, a quantum key distribution system, and a quantumkey distribution method.

BACKGROUND

A quantum key distribution system is configured with a transmitter, areceiver, and an optical fiber that connects the transmitter and thereceiver. The transmitter transmits photons to the receiver via theoptical fiber (a quantum communication channel). After that, thetransmitter and the receiver exchange control information with eachother, and share encryption keys in a confidential fashion. Thistechnology is implemented using the technology generally referred to asquantum key distribution (QKD).

In quantum key distribution, the behavior of the photons follows theuncertainty principle, which is the fundamental principle of quantummechanics that tapping leads to changes in the state. Because of such aproperty, when photons transmitted by a transmitter are tapped by aneavesdropper in a quantum communication channel, the state of thephotons undergoes a change and the receiver that receives the photonsbecomes able to get to know that the photons have been tapped by aneavesdropper.

The encryption keys generated in a quantum key distribution system areused by various applications that perform cryptographic communication.Usually, if many encryption keys are generated, then there is aproportional increase in the encryption strength and communicable timeof the cryptographic communication. Hence, it is desired that encryptionkeys having a large size be generated in large numbers with a highfrequency.

Meanwhile, it is necessary that the transmission of photons in quantumkey distribution is performed while ensuring synchronization between thetransmitter and the receiver. Hence, if the operations are temporarilystopped, then the temporal cost of restarting the operations is high.Therefore, it is not desirable to stop the transmission of photonsduring quantum key distribution. However, if generation of encryptionkeys is carried on in concert with the transmission of photons, then itmay lead to an increase in the processing load of the transmitter andthe receiver that generate the encryption keys, or it may lead tounnecessary generation of the encryption keys, or it may place burden onthe amount of available space in the storage used in storing theencryption keys.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating a configuration example of a quantumkey distribution system;

FIG. 2 is a diagram illustrating a configuration example of a quantumkey distribution network;

FIG. 3 is a diagram illustrating an exemplary block configuration of aQKD transmitter and a QKD receiver;

FIG. 4 is a sequence diagram illustrating an example of the operationsperformed by the QKD transmitter and the QKD receiver;

FIG. 5 is a diagram for explaining a key compression process;

FIG. 6 is a diagram for explaining an operation of adjusting assignmentof encryption key generation;

FIG. 7 is a diagram illustrating an exemplary block configuration of aQKD transmitter and a QKD receiver;

FIG. 8 is a diagram illustrating a binary entropy function; and

FIG. 9 is a hardware configuration diagram of a QKD device.

DETAILED DESCRIPTION

According to an embodiment, a quantum key distribution device isconnected to another quantum key distribution device via a quantumcommunication channel and generates and shares an identical encryptionkey with the another quantum key distribution device. The quantum keydistribution device includes a quantum key sharing unit, a correctingunit, a compressor, and a controller. The quantum key sharing unit isconfigured to generate a shared bit string by using quantum keydistribution performed with the another quantum key distribution devicevia the quantum communication channel. The correcting unit is configuredto receive the shared bit string from the quantum key sharing unit andgenerate a corrected bit string through an error correction process withrespect to the shared bit string. The compressor is configured toreceive the corrected bit string from the correcting unit and generatean encryption key through a key compression process with respect to thecorrected bit string. The controller is configured to perform arestraining operation in which the total number of bits of one or moreencryption keys generated per unit time by the compressor is smallerthan the total number of bits of the one or more encryption keysgenerated per unit time by the compressor in the case of not performingthe restraining operation.

Exemplary embodiments of a quantum key distribution device, a quantumkey distribution system, and a quantum key distribution method accordingto the invention are described below in detail with reference to theaccompanying drawings. In the accompanying drawings, the sameconstituent elements are referred to by the same reference numerals.However, the drawings are only schematic in nature, and the specificconfiguration should be determined by taking into account theexplanation given below.

First Embodiment

FIG. 1 is a diagram illustrating a configuration example of a quantumkey distribution system. Thus, the explanation of a quantum keydistribution system 100 is explained with reference to FIG. 1.

As illustrated in FIG. 1, the quantum key distribution system 100includes a QKD transmitter 1, a QKD receiver 2, and an optical fibercable 3. The following explanation is mainly given for the quantum keydistribution system 100 that includes a single QKD transmitter 1 and asingle QKD receiver 2. However, alternatively, the quantum keydistribution system 100 can also be, what is called, a quantum accessnetwork (see FIG. 6 referenced later) in which a single QKD receiver 2has a plurality of QKD transmitters 1 connected thereto via an opticalinstrument. Still alternatively, the quantum key distribution system 100can also be a quantum key distribution system in which the QKD receiver2 has a plurality of interfaces for optical fiber communication and isconnected to a plurality of QKD transmitters 1 via the interfaces. Inthis case, the roles can be reversed, and the QKD transmitter 1 can beconnected to a plurality of QKD receivers 2.

Herein, for example, the QKD transmitter 1 transmits, to the QKDreceiver 2 via the optical fiber cable 3, a bit string (hereinafter,referred to as a “photon bit string”) that is made of single photonswhich are generated using random numbers and which serve as the basisfor generating encryption keys. Moreover, the QKD transmitter 1 performsshifting, an error correction (EC) process, and a privacy amplification(PA) process based on the photon bit string that is sent; and generatesan encryption key.

The QKD receiver 2 receives, from the QKD transmitter 1 via the opticalfiber cable 3, the photon bit string made of single photons that serveas the basis for generating encryption keys. Then, the QKD receiver 2performs a shifting process, an error correction process, and a privacyamplification process based on the photon bit string that is received,and generates an encryption key that is identical to the encryption keygenerated by the QKD transmitter 1. That is, the QKD transmitter 1 andthe QKD receiver 2 generate and share identical encryption keys.

The optical fiber cable 3 functions as a quantum communication channelthat is a transmission path for the single photons output by the QKDtransmitter 1. Meanwhile, although not illustrated in FIG. 1, aside fromthe quantum communication channel in the form of the optical fiber cable3, the QKD transmitter 1 and the QKD receiver 2 are connected to eachother by a communication cable (a classical communication channel) thatis used in communicating regular digital data of 0s and 1s. Theclassical communication channel need not be a wired communicationchannel, and can be a wireless communication channel.

Because of the quantum key distribution system 100 including the QKDtransmitter 1 and the QKD receiver 2; in case the single photonstransmitted by the QKD transmitter 1 are tapped by an eavesdropper fromthe optical fiber cable 3 functioning as the quantum communicationchannel, the photons undergo physical changes thereby enabling the QKDreceiver 2 that has received the photons to know that the photons havebeen tapped by an eavesdropper. Meanwhile, regarding an encryption keygeneration process performed by the QKD transmitter 1 and the QKDreceiver 2, the detailed explanation is given later. Moreover, whilecollectively referring to the QKD transmitter 1 and the QKD receiver 2,the term “QKD device” is used.

FIG. 2 is a diagram illustrating a configuration example of a quantumkey distribution network. Thus, the explanation about the quantum keydistribution network is given with reference to FIG. 2.

The quantum key distribution network mainly includes two networks,namely, a key sharing network and a cryptographic-data communicationnetwork. With reference to FIG. 2, the quantum key distribution networkincludes a key sharing network 200, private networks 201 a and 201 b,and a cryptographic-data communication network 202.

As illustrated in FIG. 2, the key sharing network 200 includes nodes 50a to 50 c that function as QKD devices. The node 50 a and the node 50 bare connected to each other by a quantum communication channel. One ofthe nodes 50 a and 50 b functions as the transmitter and the other nodefunctions as the receiver. Thus, as described above, the nodes 50 a and50 b generate identical encryption keys. The same is true in the case ofthe node 50 a and the node 50 c. In this way, the identical encryptionkeys generated and shared by mutually-connected QKD devices are referredto as a link key. Meanwhile, the quantum key distribution system 100 isincluded in the key sharing network 200.

As illustrated in FIG. 2, the node 50 b and the node 50 c are notdirectly connected to each other by a quantum communication channel. Inthis case, the node 50 a and the node 50 b that are directly connectedto each other by a quantum communication channel generate identicalencryption keys (a link key a-b). In an identical manner, the node 50 aand the node 50 c that are directly connected to each other by a quantumcommunication channel generate identical encryption keys (a link keya-c) different than the link key a-b. Then, the node 50 c separatelygenerates an encryption key (referred to as an “application key b-c”)using random numbers; encrypts the application key b-c with the link keya-c; and transmits the encrypted application key b-c to the node 50 avia the classical communication channel. Then, the node 50 a decryptsthe received application key b-c with the link key a-c; encrypts thenow-decrypted application key b-c with the link key a-b; and sends thenewly-encrypted application key b-c to the node 50 b via the classicalcommunication channel. Subsequently, the node 50 b decrypts the receivedapplication key b-c with the link key a-b and holds the decryptedapplication key b-c. As a result, the node 50 b and the node 50 c happento share the application key b-c as identical encryption keys.

As illustrated in FIG. 2, the private network 201 a includes the node 50b, an application 60 a, and an application 60 b. Herein, the privatenetwork 201 a is configured under the premise that communication betweenthe information processing devices constituting the private network 201a (In the example illustrated in FIG. 2, safety of communication betweenthe node 50 b, the application 60 a, and the application 60 b) issecured from the safety perspective. The same is true in the case of theprivate network 201 b (described later).

The applications 60 a and 60 b are information processing devices thatexecute applications having predetermined functions. Moreover, theapplications 60 a and 60 b respectively receive encryption keys 70 a and70 b (link keys or application keys) from the node 50 b. Then, using theencryption keys 70 a and 70 b, the applications 60 a and 60 b performcryptographic communication with the information processing devicesincluded in other networks (such as, the private network 201 billustrated in FIG. 2) via the cryptographic-data communication network202.

As illustrated in FIG. 2, the private network 201 b includes the node 50c, an application 61 a, and an application 61 b.

The applications 61 a and 61 b are information processing devices thatexecute applications having predetermined functions. Moreover, theapplications 61 a and 61 b respectively receive encryption keys 70 a and70 b (link keys or application keys) from the node 50 c. Then, usingencryption keys 71 a and 71 b, the applications 61 a and 61 b performcryptographic communication with the information processing devicesincluded in other networks (such as, the private network 201 aillustrated in FIG. 2) via the cryptographic-data communication network202.

For example, the cryptographic communication between the application 60a of the private network 201 a and the application 61 a of the privatenetwork 201 b is performed in the following manner. Firstly, in the keysharing network 200, as described above, the nodes 50 b and 50 c shareidentical encryption keys in the form of an application key. In theexample illustrated in FIG. 2, it is assumed that the encryption key 70a belonging to the node 50 b and the encryption key 71 a belonging tothe node 50 c are identical encryption keys (application keys). Then,the node 50 b sends the encryption key 70 a to the application 60 a, andthe node 50 c sends the encryption key 71 a to the application 61 a.Subsequently, the applications 60 a and 61 a encrypt the target data forcommunication respectively using the encryption keys 70 a and 71 a,which are identical encryption keys.

FIG. 3 is a diagram illustrating an exemplary block configuration of theQKD transmitter and the QKD receiver according to the first embodiment.Thus, the explanation of a functional block configuration of the QKDtransmitter 1 and the QKD receiver 2 is given with reference to FIG. 3.

The QKD transmitter 1 includes a quantum key sharing unit 10, an ECprocessor 11 (an error correcting unit), a PA processor 12 (acompressor), a classical communication unit 13, a key management unit14, a key provider 15, a storage 16, and a controller 17.

For example, the quantum key sharing unit 10 sends, to the QKD receiver2 via the quantum communication channel (i.e., via the optical fibercable 3 illustrated in FIG. 1), a photon bit string made of singlephotons having a state based on base information generated in a randommanner as against a bit string generated using random numbers. Then, thequantum key sharing unit 10 receives, via the classical communicationchannel, the base information generated in a random manner by the QKDreceiver 2 (by a quantum key sharing unit 20 (described later)) for thepurpose of reading a photon bit string received. Subsequently, thequantum key sharing unit 10 compares the base information generated byitself with the base information received from the quantum key sharingunit 20; extracts the bits corresponding to the matching portion fromthe photon bit strings; and treats the extracted bits as a shared bitstring. The length of the shared bit string is determined based on thebase information generated in a random manner by the quantum key sharingunits 10 and 20. Hence, if the selection of the base information isgenuinely random in nature; then, statistically, the length of theshared bit string is substantially half of the photon bit strings.

The EC processor 11 exchanges control data (EC information) with an ECprocessor 21 (described later) via the classical communication channel;corrects the bit errors in the shared bit string; and generates acorrected bit string. Herein, the corrected bit string generated by theEC processor 11 matches with a corrected bit string that is generated bythe EC processor 21 (described later) by performing correction withrespect to the shared bit string.

The PA processor 12 receives control data (PA information) from a PAprocessor 22 (described later) via the classical communication channel;and performs a key compression process (a privacy amplification process)with respect to the corrected bit string with the aim of cancelling out,from the number of errors corrected by the EC processor 11, the bitsthat are likely to have been tapped by an eavesdropper during theoperations of the quantum key sharing unit 10 and the EC processor 11.Herein, the bit string obtained by the PA processor 12 by performing thekey compression process with respect to the corrected bit string isreferred to as a key bit string and serves as the encryption key.

The classical communication unit 13 is, as described above, acommunication interface that enables the quantum key sharing unit 10,the EC processor 11, and the PA processor 12 to send control data to andreceive control data from the QKD receiver 2. Herein, the classicalcommunication unit 13 can either be a wired interface or a wirelessinterface.

The key management unit 14 stores the encryption keys (the key bitstring), which are generated by the PA processor 12, in the storage 16,and manages the stored encryption keys. Aside from the encryption keys(the key bit string), the key management unit 14 can also store at leasteither the photon bit string and the shared bit string generated by thequantum key sharing unit 10 or the corrected bit string generated by theEC processor 11. The key provider 15 obtains an encryption key from thestorage 16 as may be necessary, and provides the encryption key to anexternal application. Herein, the storage 16 is a storage device used tostore the encryption keys generated by the PA processor 12.

The controller 17 performs overall control of the QKD transmitter 1. Thecontroller 17 entirely or partially deletes the shared bit string, thecorrected bit string, or the key bit string; and does not send thedeleted portion to the subsequent processors. The details of thisprocess are given later as a restraining operation of encryption keys.

Meanwhile, the quantum key sharing unit 10, the EC processor 11, the PAprocessor 12, the key management unit 14, the key provider 15, and thecontroller 17 can be implemented either using computer programs that areexecuted in a central processing unit (CPU) 80 (described later) orusing hardware circuitry.

The QKD receiver 2 includes the quantum key sharing unit 20, the ECprocessor 21 (error correcting unit), the PA processor 22 (compressor),a classical communication unit 23, a key management unit 24, a keyprovider 25, a storage 26, and a controller 27.

The quantum key sharing unit 20 receives the photon bit string from theQKD transmitter 1 via the quantum communication channel (i.e., via theoptical fiber cable 3 illustrated in FIG. 1), and reads the photon bitstring based on the base information generated in a random manner. Then,the quantum key sharing unit 20 receives, via the classicalcommunication channel, the base information that is generated in arandom manner by the QKD transmitter 1 (the quantum key sharing unit 10)for the purpose of sending the photon bit string. Subsequently, thequantum key sharing unit 20 compares the base information generated byitself with the base information received from the quantum key sharingunit 10; extracts the bits corresponding to the matching portion fromthe photon bit strings; and treats the extracted bits as a shared bitstring. The length of the shared bit string is determined based on thebase information generated in a random manner by the quantum key sharingunits 10 and 20. Hence, if the selection of the base information isgenuinely random in nature; then, statistically, the length of theshared bit string is substantially half of the photon bit strings.

The EC processor 21 exchanges control data (EC information) with the ECprocessor 11 via the classical communication channel; corrects the biterrors in the shared bit string; and generates a corrected bit string.Herein, the corrected bit string generated by the EC processor 21matches with the corrected bit string generated by the EC processor 11by performing correction with respect to the shared bit string.

The PA processor 22 sends control data (PA information) to the PAprocessor 12 via the classical communication channel; and performs a keycompression process (a privacy amplification process) with respect tothe corrected bit string with the aim of cancelling out, from the numberof errors corrected by the EC processor 21, the bits that are likely tohave been tapped by an eavesdropper during the operations of the quantumkey sharing unit 20 and the EC processor 21. Herein, the bit stringobtained by the PA processor 22 by performing the key compressionprocess with respect to the corrected bit string is referred to as a keybit string and serves as the encryption key.

The classical communication unit 23 is, as described above, acommunication interface that enables the quantum key sharing unit 20,the EC processor 21, and the PA processor 22 to send control data to andreceive control data from the QKD transmitter 1. Herein, the classicalcommunication unit 23 can either be a wired interface or a wirelessinterface.

The key management unit 24 stores the encryption keys (the key bitstring), which are generated by the PA processor 22, in the storage 26,and manages the encryption keys. Aside from the encryption key (the keybit string), the key management unit 24 can also store at least eitherthe photon bit string and the shared bit string generated by the quantumkey sharing unit 20 or the corrected bit string generated by the ECprocessor 21. The key provider 25 obtains an encryption key from thestorage 26 as may be necessary, and provides the encryption key to anexternal application. Herein, the storage 26 is a storage device used tostore the encryption key generated by the PA processor 22.

The controller 27 performs overall control of the QKD receiver 2. Thecontroller 27 entirely or partially deletes the shared bit string, thecorrected bit string, or the key bit string; and does not send thedeleted portion to the subsequent processors. The details of thisprocess are given later.

Meanwhile, the quantum key sharing unit 20, the EC processor 21, the PAprocessor 22, the key management unit 24, the key provider 25, and thecontroller 27 can be implemented either using computer programs that areexecuted in the CPU 80 (described later) or using hardware circuitry.

FIG. 4 is a sequence diagram illustrating an example of the operationsperformed by the QKD transmitter and the QKD receiver. FIG. 5 is adiagram for explaining the key compression process. Thus, an encryptionkey generation process performed by the QKD transmitter 1 and the QKDreceiver 2 is explained with reference to FIGS. 4 and 5.

Step S11

For example, the quantum key sharing unit 10 of the QKD transmitter 1sends, to the quantum key sharing unit 20 of the QKD receiver 2 via thequantum communication channel, a photon bit string made of singlephotons having a state based on base information that is generated in arandom manner as against a bit string generated using random numbers.Thus, the quantum key sharing unit 20 receives the photon bit stringfrom the quantum key sharing unit 10 via the classical communicationchannel, and reads the photon bit string based on the base informationgenerated in a random manner.

Step S12

The quantum key sharing unit 10 receives the base information, which isgenerated in a random manner by the quantum key sharing unit 20 for thepurpose of reading the received photon bit string, via the classicalcommunication channel. On the other hand, the quantum key sharing unit20 receives the base information, which is generated in a random mannerby the quantum key sharing unit 10 for the purpose of sending the photonbit string, via the classical communication channel.

Step S13

The quantum key sharing unit 10 performs a shifting process in which itcompares the base information generated by itself with the baseinformation received from the quantum key sharing unit 20; extracts thebits corresponding to the matching portion from the photon bit strings;and treats the extracted bits as a shared bit string. Then, the quantumkey sharing unit 10 sends the shared bit string to the EC processor 11.

Step S14

The quantum key sharing unit 20 performs a shifting process in which itcompares the base information generated by itself with the baseinformation received from the quantum key sharing unit 10; extracts thebits corresponding to the matching portion from the photon bit strings;and treats the extracted bits as a shared bit string. Then, the quantumkey sharing unit 20 sends the shared bit string to the EC processor 21.

Step S15

The EC processor 11 of the QKD transmitter 1 and the EC processor 21 ofthe QKD receiver 2 exchange EC information, which represents the controldata for correcting the errors in the shared bit strings, via theclassical communication channel.

Step S16

Based on the EC information exchanged with the EC processor 21 via theclassical communication channel, the EC processor 11 performs an ECprocess in which it corrects the bit errors in the shared bit string andgenerates a corrected bit string. Herein, the corrected bit stringgenerated by the EC processor 11 matches with a corrected bit stringgenerated by the EC processor 21 by performing correction with respectto the shared bit string. Then, the EC processor 11 sends the correctedbit string to the PA processor 12.

Step S17

Based on the EC information exchanged with the EC processor 11 via theclassical communication channel, the EC processor 21 performs an ECprocess that includes correction of the bit errors in the shared bitstring and generation of a corrected bit string. Herein, the correctedbit string generated by the EC processor 21 matches with the correctedbit string generated by the EC processor 11 by performing correctionwith respect to the shared bit string. Then, the EC processor 21 sendsthe corrected bit string to the PA processor 22.

Step S18

The PA processor 22 of the QKD receiver 2 sends PA information (such asrandom numbers and length information of the encryption key) to the PAprocessor 12 of the QKD transmitter 1 via the classical communicationchannel. Thus, the PA processor 12 receives the PA information from thePA processor 22 via the classical communication channel.

Step S19

Based on the received PA information, the PA processor 12 performs a keycompression process (a privacy amplification process, a PA process) withrespect to the corrected bit string with the aim of cancelling out, fromthe number of errors corrected by the EC processor 11, the bits that arelikely to have been tapped by an eavesdropper during the operations ofthe quantum key sharing unit 10 and the EC processor 11. Moreparticularly, as illustrated in FIG. 5, the PA processor 12 generates ahash function in the form of an n×s matrix from a length n of thecorrected bit string generated by the EC processor 11, the randomnumbers included in the PA information, and a length s of the encryptionkey. Then, the PA processor 12 multiplies the hash function to thecorrected bit string, and generates an encryption key (a key bit string)having the length s. Subsequently, the PA processor 12 sends thegenerated encryption key to the key management unit 14. Meanwhile, themethod implemented for the key compression process is not limited tousing the hash function as described above. That is, the key compressionprocess can be performed using other methods.

Step S20

Based on the received PA information, the PA processor 22 performs a keycompression process (a privacy amplification process, a PA process) withrespect to the corrected bit string with the aim of cancelling out, fromthe number of errors corrected by the EC processor 21, the bits that arelikely to have been tapped by an eavesdropper during the operations ofthe quantum key sharing unit 20 and the EC processor 21. Moreparticularly, in an identical manner to the PA processor 12, the PAprocessor 22 generates an encryption key (a key bit string); and sendsthe generated encryption key to the key management unit 24.

Step S21

The key management unit 14 stores the encryption key, which is generatedby the PA processor 12, in the storage 16 and manages the encryptionkey. Then, the key provider 15 retrieves the encryption key from thestorage 16 as may be necessary, and provides it to an externalapplication.

Step S22

The key management unit 24 stores the encryption key, which is generatedby the PA processor 22, in the storage 26 and manages the encryptionkey. Then, the key provider 25 retrieves the encryption key from thestorage 26 as may be necessary, and provides it to an externalapplication.

As a result of performing the operations described above, identicalencryption keys are generated in the QKD transmitter 1 and the QKDreceiver 2. Herein, the encryption keys generated as a result ofperforming the operations described above are one-time pad keys that canbe used only once. Hence, because of the operations described above,different encryption keys are generated in a repeated manner.

In the quantum key distribution system 100, the encryption keys that aregenerated are used by various applications performing cryptographiccommunication. Usually, if many encryption keys are generated, thenthere is a proportional increase in the encryption strength andcommunicable time of the cryptographic communication. Hence, it isdesired that encryption keys having a large size be generated with ahigh frequency. However, in the quantum key distribution system 100, ifthe encryption keys are generated at random, it leads to an increase inthe processing load of the QKD transmitter 1 and the QKD receiver 2.Moreover, if there is a decrease in the frequency of usage of theencryption keys, then it may place burden on the amount of availablespace in the storages 16 and 26 that are used in storing the encryptionkeys.

Thus, in the quantum key distribution system 100, in order to avoid sucha situation, it is necessary to perform a restraining operation in whichthe frequency of generating the encryption keys is reduced or the sizeof the encryption keys is reduced according to various conditions(examples of the conditions are described later). More particularly, thecontroller 17 (the controller 27) needs to ensure that the total numberof bits of one or more encryption keys generated per unit time by the PAprocessor 12 (the PA processor 22) as a result of performing therestraining operation is smaller than the total number of bits of theone or more encryption keys generated per unit time by the PA processor12 (the PA processor 22) in the case of not performing the restrainingoperation.

Meanwhile, as described above, during the transmission and reception ofphoton bit strings by the quantum key sharing unit 10 and the quantumkey sharing unit 20 via the quantum communication channel as well aswhile performing the shifting process, it is necessary to havesynchronization between the receiver and the transmitter. Hence, if theoperations are temporarily stopped, then the temporal cost of restartingthe operations is high. Therefore, it is not neither desirable to stopthe transmission and reception of photon bit strings by the quantum keysharing unit 10 and the quantum key sharing unit 20 via the quantumcommunication channel nor desirable to stop the shifting process. Hence,the premise herein is that, while the QKD transmitter 1 and the QKDreceiver 2 are in operation, the transmission and reception of photonbit strings by the quantum key sharing unit 10 and the quantum keysharing unit 20 via the quantum communication channel is performedwithout interruption as well as the shifting process is performedwithout interruption. That is, the premise is that the quantum keysharing unit 10 and the quantum key sharing unit 20 constantly generatethe shared bit strings.

In the first embodiment, in the quantum key distribution system 100, oneof the following restraining operations (A) to (C) is performed.

(A) One, some, or all of the encryption keys (key bit strings) generatedby the PA processor 12 (the PA processor 22) are either deleted withoutsending them to the key management unit 14 (the key management unit 24)or reduced in size.

(B) One, some, or all of the corrected bit strings generated by the ECprocessor 11 (the EC processor 21) are either deleted without sendingthem to the PA processor 12 (the PA processor 22) or reduced in size.

(C) One, some, or all of the shared bit strings generated by the quantumkey sharing unit 10 (the quantum key sharing unit 20) are either deletedwithout sending them to the EC processor 11 (the EC processor 21) orreduced in size.

Regarding each of the restraining operations (A) to (C), the explanationis given with reference to the restraining operation performed in theQKD transmitter 1. The restraining operation performed in the QKDreceiver 2 is identical to the restraining operation performed in theQKD transmitter 1.

Firstly, the explanation is given about the restraining operation (A).The controller 17 of the QKD transmitter 1 either deletes one, some, orall of the encryption keys (the key bit strings) generated by the PAprocessor 12 without sending them to the key management unit 14, orreduces the size of one, some, or all of the encryption keys. In thecase in which the controller 17 deletes one or some of the encryptionkeys generated by the PA processor 12, the remaining encryption keys aresubjected to the processes from Step S21 onward illustrated in FIG. 4.Thus, eventually, some encryption keys are generated and stored in thestorage 16. Meanwhile, regarding which encryption keys are to be deletedor reduced in size or regarding the manner in which the encryption keysare to be deleted, the controller 17 achieves synchronization with thecontroller 27 of the QKD receiver 2. More particularly, the controller17 shares, with the controller 27 via the classical communicationchannel, the IDs of the encryption keys to be deleted or reduced insize, the information regarding the method of achieving size reduction,and the information regarding the method of deletion.

In this way, as a result of performing the restraining operation (A), itbecomes possible to reduce the number and the frequency of generation ofthe encryption keys that are eventually stored in the storages, and toreduce the size of the stored encryption keys. Moreover, at the stage atwhich the process of sequentially generating the encryption keys iscompleted, the encryption keys are deleted or reduced in size. Hence,the restraining operation of the controller 17 can be implemented in asimple manner.

Next, the explanation is given about the restraining operation (B). Thecontroller 17 of the QKD transmitter 1 either deletes one, some, or allof the corrected bit strings generated by the EC processor 11 withoutsending them to the PA processor 12, or reduces the size of one, some,or all of the corrected bit strings. In the case in which the controller17 deletes one or some of the corrected bit strings generated by the ECprocessor 11, the remaining corrected bit strings are subjected to theprocesses from Step S18 onward illustrated in FIG. 4. Thus, eventually,some corrected bit strings are generated and stored in the storage 16.Meanwhile, regarding which corrected bit strings are to be deleted orreduced in size or regarding the manner in which the corrected bitstrings are to be deleted, the controller 17 achieves synchronizationwith the controller 27 of the QKD receiver 2. More particularly, thecontroller 17 shares, with the controller 27 via the classicalcommunication channel, the IDs of the corrected bit strings to bedeleted or reduced in size, the information regarding the method ofachieving size reduction, and the information regarding the method ofdeletion.

In this way, as a result of performing the restraining operation (B), itbecomes possible to reduce the number and the frequency of generation ofthe encryption keys, which are eventually stored in the storages, by thenumber of corrected bit strings that are deleted; and to reduce the sizeof the stored encryption keys by the amount equal to the reduced size ofthe corrected bit strings. Moreover, since there is a decrease in theprocessing amount from Step S18 onward illustrated in FIG. 4, theprocessing load of the QKD transmitter 1 and the QKD receiver 2 isreduced. In this case, when the controller 17 deletes all of thecorrected bit strings, the PA processor 12 may stop to perform the keycompression process. Furthermore, this restraining operation can beimplemented in the case in which the operations till the generation ofthe corrected bit strings are performed and followed by operations witha different purpose such as collecting statistical information of theerror rate.

Next, the explanation is given about the restraining operation (C). Thecontroller 17 of the QKD transmitter 1 either deletes one, some, or allof the shared bit strings generated by the quantum key sharing unit 10without sending them to the EC processor 11, or reduces the size of one,some, or some of the shared bit strings. In the case in which thecontroller 17 deletes one or some of the shared bit strings generated bythe quantum key sharing unit 10, the remaining shared bit strings aresubjected to the operations from Step S15 onward illustrated in FIG. 4.Thus, eventually, some encryption keys are generated and stored in thestorage 16. Meanwhile, regarding which shared bit strings are to bedeleted or reduced in size or regarding the manner in which the sharedbit strings are to be deleted, the controller 17 achievessynchronization with the controller 27 of the QKD receiver 2. Moreparticularly, the controller 17 shares, with the controller 27 via theclassical communication channel, the IDs of the corrected bit strings tobe deleted or reduced in size, the information regarding the method ofachieving size reduction, and the information regarding the method ofdeletion.

In this way, as a result of performing the restraining operation (C), itbecomes possible to reduce the number and the frequency of generation ofthe encryption keys, which are eventually stored in the storages, by thenumber of shared bit strings that are deleted; and to reduce the size ofthe stored encryption keys by the amount equal to the reduced size ofthe shared bit strings. Moreover, since there is a decrease in theprocessing amount from Step S15 onward illustrated in FIG. 4, theprocessing load of the QKD transmitter 1 and the QKD receiver 2 isreduced. In this case, when the controller 17 deletes all of the sharedbit strings, either one of the error correction process performed by theEC processor 11 or the key compression process performed by the PAprocessor 12 may be stopped.

Meanwhile, the controller 17 is not limited perform only one of therestraining operations (A) to (C), and can arbitrarily combine therestraining operations.

The restraining operations (A) to (C) need to be performed according tothe various conditions described above. Herein, the scope of arestraining operation, that is, the extent of lowering the frequency ofgeneration of the encryption keys or the extent of reducing the size ofthe encryption keys is referred to as a restraining amount. Explainedbelow are exemplary parameters that serve as the conditions fordetermining the restraining amount.

(i) link priority: indicates the priority set for each quantum keydistribution system (link (coupling) between two QKD devices) thatconstitutes the key sharing network 200 illustrated in FIG. 2. Higherthe priority of a link, smaller is the restraining amount. On the otherhand, lower the priority of link, greater is the restraining amount.

(ii) application priority: indicates the priority set for each type ofapplications that make use of encryption keys. Higher the priority ofthe application being executed, smaller is the restraining amount. Onthe other hand, lower the priority of the application being executed,greater is the restraining amount.

(iii) in-execution application count: indicates the number ofapplications being executed using encryption keys. Greater the number ofin-execution applications, smaller is the restraining amount. On theother hand, smaller the number of in-execution applications, greater isthe restraining amount.

(iv) encryption key usage frequency: indicates the frequency with whichan application makes use of encryption keys. The greater the usagefrequency, the smaller the restraining amount. On the other hand, thesmaller the usage frequency, the greater the restraining amount.

(v) available storage space: indicates the available storage space inthe storages 16 and 26 that are used in storing encryption keys. Thegreater the available storage space, the smaller the restraining amount.On the other hand, the smaller the usage frequency, the greater therestraining amount.

(vi) encryption key storage volume: indicates the volume of storedencryption keys (the number of stored encryption keys or the total datasize of the stored encryption keys). The smaller the encryption keystorage volume, the smaller the restraining amount. On the other hand,the greater the encryption key storage volume, the greater therestraining amount.

The controller 17 and the controller 27 determine the restraining amountaccording to at least one of the parameters described above, and performthe restraining operation based on the determined restraining amount.Moreover, as far as the parameters described above are concerned, it isnecessary to get to know the matching parameters in the QKD transmitter1 and the QKD receiver 2. Hence, the QKD transmitter 1 (or the QKDreceiver 2) collects the necessary information for determining theparameters, and sends those parameters to the QKD receiver 2 (or the QKDtransmitter 1) via the classical communication channel. Then, based onthe matching parameters, the controllers 17 and 27 perform therestraining operation.

Of the parameters described above, the parameters (iii) to (v) aredynamically variable according to the operations performed by the QKDtransmitter 1 and the QKD receiver 2 and according to the operationsperformed by information processing devices connected to the QKD device.Thus, for example, the configuration can be such that, if a particularparameter falls below a predetermined threshold value (a first thresholdvalue), the controller 17 (or the controller 27) performs therestraining operation. On the other hand, the configuration can be suchthat, when a particular parameter exceeds the same threshold value or adifferent threshold value (a second threshold value), the controller 17(or the controller 27) stops performing the restraining operation.

FIG. 6 is a diagram for explaining an operation of adjusting assignmentof encryption key generation. Thus, explained below with reference toFIG. 6 is a specific restraining operation in the case in which, forexample, the parameters (i) link priority and (iii) in-executionapplication count are taken into account.

As illustrated in FIG. 6, a quantum key distribution system 100 a doesnot configure a system in which a single QKD transmitter and a singleQKD receiver are connected via a quantum communication channel asillustrated in FIG. 1 but configures a quantum access network describedabove. The quantum key distribution system 100 a includes QKDtransmitters 1 a to 1 c, a QKD receiver 2 a, and an optical device 4.

Each of the QKD transmitters 1 a to 1 c is connected to the input sideof the optical device 4 via a quantum communication cable (an opticalfiber cable). Moreover, the QKD transmitters 1 a to 1 c include storages16 a to 16 c, respectively.

The QKD receiver 2 a is connected to the output side of the opticaldevice 4 via a quantum communication channel (an optical fiber cable).Moreover, the QKD receiver 2 a includes a storage 26 a.

As illustrated in FIG. 6, in the quantum key distribution system 100 a,there are three types of links, namely, a link between the QKDtransmitter 1 a and the QKD receiver 2 a (hereinafter, called a link A),a link between the QKD transmitter 1 b and the QKD receiver 2 a(hereinafter, called a link B), and a link between the QKD transmitter 1c and the QKD receiver 2 a (hereinafter, called a link C). For each ofthese links, an identical encryption key is generated and sharedaccording to the operations illustrated in FIG. 4.

The QKD transmitter 1 a is connected to an external device that iscapable of communicating with the QKD transmitter 1 a and that executesthree types of applications, namely, applications 500 to 502. Meanwhile,there need not be only a single external device. Alternatively, forexample, there can be three external devices each executing one of theapplications 500 to 502. Still alternatively, there can be two externaldevices one of which executes the applications 500 and 501, while theother external device executes the application 502. Meanwhile, at leastone of the applications 500 to 502 may be executed by the QKDtransmitter 1 a instead of an external device.

The QKD transmitter 1 c is connected to an external device that iscapable of communicating with the QKD transmitter 1 c and that executesan application 503 c. However, alternatively, the application 503 c maybe executed by the QKD transmitter 1 c instead of an external device.

The QKD receiver 2 a is connected to an external device that is capableof communicating with the QKD receiver 2 a and that executes four typesof applications, namely, applications 500 a to 503 a. Meanwhile, thereneed not be only a single external device. Alternatively, there can betwo external devices one of which executes the applications 500 a and501 a, while the other external device executes the applications 502 aand 503 a. Meanwhile, at least one of the applications 500 a to 503 amay be executed by the QKD receiver 2 a instead of an external device.

The application 500, the application 501, the application 502, and theapplication 503 c respectively correspond to the applications 500 a to503 a; and data communication is performed between the applications. TheQKD transmitter 1 a and the QKD receiver 2 a generate encryption keysthat enable the applications 500 to 502 to perform cryptographiccommunication with the applications 500 a to 502 a, respectively. Then,an encryption key 600 a representing a bundle of generated encryptionkeys is stored in the storages 16 a and 26 a. The QKD transmitter 1 cand the QKD receiver 2 a generate encryption keys that enable theapplication 503 c to perform cryptographic communication with theapplication 503 a. Then, an encryption key 600 c representing a bundleof generated encryption keys is stored in the storages 16 a and 26 a.Herein, it is assumed that no application is being executed in theexternal devices connected to the QKD transmitter 1 b and the QKDreceiver 2 a or no application is being executed in the QKD transmitter1 b and the QKD receiver 2 a. However, the QKD transmitter 1 b and theQKD receiver 2 a generate encryption keys for the link B and store anencryption key 600 b, which represents the bundle of generatedencryption keys, in the storages 16 a and 26 a, respectively. Meanwhile,the links A to C are assigned with link priorities YA to YC,respectively, that satisfy the relationship of YA=YC<YB.

Given below is the explanation of the restraining operation performed inthe abovementioned state of the quantum key distribution system 100 a.The number (types) of in-execution applications corresponding to thelink A is three, while the number (types) of in-execution applicationscorresponding to the link C is one. Hence, the restraining amount forthe restraining operation performed by the QKD transmitter 1 a and theQKD receiver 2 a corresponding to the link A is set to be smaller thanthe restraining amount for the restraining operation performed by theQKD transmitter 1 c and the QKD receiver 2 a corresponding to the linkC. As a result, the number of encryption keys 600 a generated in thelink A becomes greater than the number of encryption keys 600 cgenerated in the link C.

The priority YB of the link B is higher than the priority YA (thepriority YC) of the link A (the link C). Hence, although the number ofin-execution applications corresponding to the link B is zero, therestraining operation performed with the restraining amount based on thelink priority YB results in the generation of a predetermined number ofencryption keys 600 b in the link B.

In this way, based on the parameters related thereto, the QKDtransmitter 1 and the QKD receiver 2 determine the restraining amountfor the restraining operation. With that, it becomes possible for theQKD transmitter 1 and the QKD receiver 2 to generate encryption keysupon performing the restraining operation with a suitable restrainingamount. Hence, it becomes possible to reduce the processing load of theQKD transmitter 1 and the QKD receiver 2 while ensuring normality in thecryptographic communication performed by the applications using theencryption keys. Moreover, it becomes possible to avoid a situation ofplacing burden on the amount of available space in the storages 16 and26 that are used in storing the encryption keys. Thus, it becomespossible to reduce the consumption of resources of the QKD transmitter 1and the QKD receiver 2 in the quantum key distribution system 100.

As a result of performing the restraining operation (A) described above,it becomes possible to reduce the number and the frequency of generationof the encryption keys that are eventually stored in the storages, aswell as to reduce the size of the stored encryption keys. Moreover, oncethe operation of generating a series of encryption keys is completed,the encryption keys are deleted or the size of the encryption keys isreduced. As a result, the restraining operation by the controller 17 canbe implemented in a simple manner.

As a result of performing the restraining operation (B) described above,it becomes possible to reduce the number and the frequency of generationof the encryption keys, which are eventually stored in the storages, bythe number of corrected bit strings that are deleted; and to reduce thesize of the stored encryption keys by the amount equal to the reducedsize of the corrected bit strings. Moreover, since there is a decreasein the processing amount from Step S18 onward illustrated in FIG. 4, theprocessing load of the QKD transmitter 1 and the QKD receiver 2 isreduced. Furthermore, this restraining operation can be implemented inthe case in which the operations till the generation of the correctedbit strings are performed and followed by operations with a differentpurpose such as collecting statistical information of the error rate.

As a result of performing the restraining operation (C) described above,it becomes possible to reduce the number and the frequency of generationof the encryption keys, which are eventually stored in the storages, bythe number of shared bit strings that are deleted; and to reduce thesize of the stored encryption keys by the amount equal to the reducedsize of the shared bit strings. Moreover, since there is a decrease inthe processing amount from Step S15 onward illustrated in FIG. 4, theprocessing load of the QKD transmitter 1 and the QKD receiver 2 isreduced.

Second Embodiment

Regarding the configuration and operations of a quantum key distributionsystem according to a second embodiment, the explanation is given with afocus on the differences with the quantum key distribution systems 100and 100 a according to the first embodiment. Herein, the configurationof the quantum key distribution system according to the secondembodiment is identical to the first embodiment; and the configurationof a quantum key distribution network including that quantum keydistribution system is also identical to the first embodiment.

FIG. 7 is a diagram illustrating an exemplary block configuration of aQKD transmitter and a QKD receiver according to the second embodiment.Thus, the explanation of a functional block configuration of a QKDtransmitter 1 d and a QKD receiver 2 d in a quantum key distributionsystem 100 b is given below with reference to FIG. 7.

The QKD transmitter 1 d includes the quantum key sharing unit 10, the ECprocessor 11, a PA processor 12 a (a compressor), the classicalcommunication unit 13, the key management unit 14, the key provider 15,the storage 16, and a controller 17 a.

The controller 17 a performs overall control of the QKD transmitter 1 d.As part of the restraining operation regarding encryption keys, thecontroller 17 a receives information about the length s of encryptionkeys from a controller 27 a as part of the PA information and sends thatinformation to the PA processor 12 a. The details of the restrainingoperation regarding encryption keys as performed by the controllers 17 aand 27 a are given later.

The PA processor 12 a receives, from the controller 17 a, a part of thePA information in the form of information about the length s ofencryption keys calculated by a key length calculator 271 a (describedlater); and receives, from a PA processor 22 a via the classicalcommunication channel, a part of the PA information in the form ofinformation about random numbers. The PA processor 12 a performs a keycompression process (a privacy amplification process) with respect tothe corrected bit string with the aim of cancelling out the bits thatare likely to have been tapped by an eavesdropper during the operationsof the quantum key sharing unit 10 and the EC processor 11. Moreparticularly, as illustrated in FIG. 5, the PA processor 12 a generatesa hash function in the form of an n×s matrix from the length n of thecorrected bit string generated by the EC processor 11, the length s ofencryption keys included in the PA information, and random numbers.Then, the PA processor 12 a multiplies the hash function to thecorrected bit string, and generates an encryption key (a key bit string)having the length s. Subsequently, the PA processor 12 a sends thegenerated encryption key to the key management unit 14.

The key management unit 14 stores the encryption keys (the key bitstring), which are generated by the PA processor 12 a, in the storage16, and manages those encryption keys.

Meanwhile, the quantum key sharing unit 10, the EC processor 11, the PAprocessor 12 a, the key management unit 14, the key provider 15, and thecontroller 17 a can be implemented either using computer programs thatare executed in a CPU or using hardware circuitry.

The QKD receiver 2 d includes the quantum key sharing unit 20, the ECprocessor 21, the PA processor 22 a (compressor), the classicalcommunication unit 23, the key management unit 24, the key provider 25,the storage 26, and the controller 27 a.

The controller 27 a performs overall control of the QKD receiver 2 d.The controller 27 a includes a parameter collector 270 a and the keylength calculator 271 a. As described above, the controller 27 a sends,to the controller 17 a via the classical communication channel, a partof the PA information in the form of information about the length s ofencryption keys calculated by the key length calculator 271 a. Moreover,the controller 27 a sends, to the PA processor 22 a, a part of the PAinformation in the form of information about the length s of encryptionkeys.

The parameter collector 270 a collects parameters that are used by thekey length calculator 271 a in calculating the length s of encryptionkeys. As the parameters, the parameter collector 270 a collects adetection pulse count Q, an error rate E, an EC efficiency f_(EC) (anerror correction efficiency), and an available storage space S. Thedetails of these parameters are given later.

The key length calculator 271 a calculates, as the restraining operationregarding encryption keys, the length s of encryption keys based on thedetection pulse count Q, the error rate E, the EC efficiency f_(EC), andthe available storage space S collected by the parameter collector 270a. A specific method of calculating the length s of encryption keys isdescribed later in detail. Meanwhile, although the controller 27 a (thekey length calculator 271 a) calculates the length s of encryption keys,that is not the only possible case. Alternatively, the controller 17 acan also calculate the length s of encryption keys.

The PA processor 22 a receives, from the controller 27 a, the PAinformation in the form of the length s of encryption keys that iscalculated by the key length calculator 271 a (described later).Moreover, the PA processor 22 a generates random numbers for generatingthe hash function and sends, to the PA processor 12 a via the classicalcommunication channel, information about the generated random numbers asthe PA information. Moreover, the PA processor 22 a performs a keycompression process (a privacy amplification process) with respect tothe corrected bit string with the aim of cancelling out the bits thatare likely to have been tapped by an eavesdropper during the operationsof the quantum key sharing unit 20 and the EC processor 21. Moreparticularly, as illustrated in FIG. 5, the PA processor 22 a generatesa hash function in the form of an n×s matrix from the length n of thecorrected bit string generated by the EC processor 21, the length s ofencryption keys included in the PA information, and random numbers.Then, the PA processor 22 a multiplies the hash function to thecorrected bit string, and generates an encryption key (a key bit string)having the length s. Subsequently, the PA processor 22 a sends thegenerated encryption key to the key management unit 24.

The key management unit 24 stores the encryption keys (the key bitstring), which are generated by the PA processor 22 a, in the storage26, and manages those encryption keys.

Meanwhile, the quantum key sharing unit 20, the EC processor 21, the PAprocessor 22 a, the key management unit 24, the key provider 25, and thecontroller 27 a can be implemented either using computer programs thatare executed in a CPU or using hardware circuitry.

Explained below with reference to FIGS. 4 and 5 are the operations forgenerating encryption keys as performed by the QKD transmitter 1 d andthe QKD receiver 2 d in the state in which the controllers 17 a and 27 ahave performed the restraining operation. Herein, the explanation isgiven with a focus on the differences with the first embodiment.

Steps S11 to S15

The processes are identical to the processes performed from Steps S11 toS15 according to the first embodiment.

Step S16

Based on the EC information exchanged with the EC processor 21 via theclassical communication channel, the EC processor 11 performs an ECprocess that includes correction of the bit errors in the shared bitstring and generation of a corrected bit string. Herein, the correctedbit string generated by the EC processor 11 matches with a corrected bitstring generated by the EC processor 21 by performing correction withrespect to the shared bit string. Then, the EC processor 11 sends thecorrected bit string to the PA processor 12 a.

Step S17

Based on the EC information exchanged with the EC processor 11 via theclassical communication channel, the EC processor 21 performs an ECprocess that includes correction of the bit errors in the shared bitstring and generation of a corrected bit string. Herein, the correctedbit string generated by the EC processor 21 matches with the correctedbit string generated by the EC processor 11 by performing correctionwith respect to the shared bit string. Then, the EC processor 21 sendsthe corrected bit string to the PA processor 22 a.

Step S18

As the parameters, the parameter collector 270 a of the controller 27 acollects the detection pulse count Q, the error rate E, the ECefficiency f_(EC), and the available storage space S. The detectionpulse count Q represents the bit count of the photon bit stringsgenerated by the quantum key sharing unit 10 and sent to the quantum keysharing unit 20. As described earlier, the length of the shared bitstrings is determined based on the base information generated in arandom manner by the quantum key sharing units 10 and 20. Hence,statistically, the length of the shared bit strings is substantiallyhalf of the photon bit strings, that is, equal to (½)Q.

The error rate E represents the percentage of bits estimated to beerrors in the shared bit string after the shifting process has beenperformed by the quantum key sharing units 10 and 20. The EC efficiencyf_(EC) represents a value that is determined according to the method ofEC process and the error rate E and is determined based on the number oftimes for which the EC information is sent and received via theclassical communication channel accompanying the EC process. That is,greater the number of times for which the EC information is sent andreceived via the classical communication channel, greater is the degreeof vulnerability to tapping. Hence, it leads to an increase in thenumber of bits that need to be deleted, thereby causing a decline the ECefficiency undergoes and an increase in the value of the EC efficiencyf_(EC).

The available storage space S represents a value based on the availablespace in the storages 16 and 26. For example, the available storagespace S can be the average of the available space in the storage 16 andthe available space in the storage 26, or can be the smaller availablespace from among the available space in the storage 16 and the availablespace in the storage 26.

Herein, for example, according to the Shore and Preskill security proofthat authenticates the safety of cryptographic communication based onthe theory of communication, a length R_(secure) of the encryption keysis expressed below in Equation (1) using the detection pulse count Q,the error rate E, and the EC efficiency f_(EC).R _(secure)=½Q{1−H ₂(E)−f _(EC)(E)×H ₂(E)}  (1)where E is an error rate, Q is a detection pulse count, f_(EC)(E) is anEC efficiency (determined according to EC method), and H₂(E) representsa binary entropy function that is the function of the error rate E asillustrated in FIG. 8.

In the second embodiment, the key length calculator 271 a calculates thelength s of cryptography keys according to Equation (2) given below bytaking into account not only the detection pulse count Q, the error rateE, and the EC efficiency f_(EC) but also, for example, the availablestorage space S.s=½Q{1−H ₂(E)−f _(EC)(E)×H ₂(E)}×f′(S)  (2)where E is an error rate, Q is a detection pulse count, f_(EC)(E) is anEC efficiency (determined according to EC method), H₂(E) represents abinary entropy function, S represents an available storage space, andf′(S) represents an available storage space term that is 1 if S>S₀; 0 orS/S₀ if S≦S₀.

With respect to the length of the encryption key that is calculatedaccording to Equation (1) given above and that is authenticated forsafety of cryptographic communication, a change occurring in thedirection of reduction does not have any effect on the authentication.That is, there is no decline in the strength of the safety of theauthenticated cryptographic communication. Thus, in Equation (2) givenabove, since an available storage space term f′(S) takes a value in therange of 0 to 1, the calculated length s of encryption keys becomessmaller than the length R_(secure). Hence, there is no decline in thestrength of the safety of the cryptographic communication. Meanwhile, inEquation (2), a value S₀ represents a predetermined value used indetermining the value of the available storage space term f′(S).

Herein, although the length s of encryption keys is calculated by alsotreating the available storage space S as a parameter, that is not theonly possible case. Alternatively, for example, other than the availablestorage space S, the key length calculator 271 a can calculate thelength s of encryption keys based on any of the parameters (i) to (iv)or based on the parameter (vi).

As described later, the controller 27 a sends, to the controller 17 avia the classical communication channel, a part of the PA information inthe form of information about the length s of encryption keys that iscalculated by the key length calculator 271 a. Moreover, the controller27 a sends, to the PA processor 22 a, a part of the PA information inthe form of information about the length s of encryption keys.

During the restraining operation regarding encryption keys, thecontroller 17 a receives information about the length s of encryptionkeys from the controller 27 a as part of the PA information and sendsthat information to the PA processor 12 a.

The PA processor 22 a receives, from the controller 27 a, the PAinformation in the form of the length s of encryption keys that iscalculated by the key length calculator 271 a (described later).Moreover, the PA processor 22 a generates random numbers for generatingthe hash function and sends, to the PA processor 12 a via the classicalcommunication channel, the information about the generated randomnumbers as the PA information.

The PA processor 12 a receives, from the controller 17 a, the PAinformation in the form of information about the length s of encryptionkeys that is calculated by the key length calculator 271 a; andreceives, from the PA processor 22 a via the classical communicationchannel, the PA information in the form of information about randomnumbers.

Step S19

Based on the received PA information, the PA processor 12 a performs akey compression process (a privacy amplification process) with respectto the corrected bit string with the aim of cancelling out the bits thatare likely to have been tapped by an eavesdropper during the operationsof the quantum key sharing unit 10 and the EC processor 11. Moreparticularly, as illustrated in FIG. 5, the PA processor 12 a generatesa hash function in the form of an n×s matrix from the length n of thecorrected bit string generated by the EC processor 11, the randomnumbers included in the PA information, and the length s of encryptionkeys. Then, the PA processor 12 a multiplies the hash function to thecorrected bit string, and generates an encryption key (a key bit string)having the length s. Subsequently, the PA processor 12 a sends thegenerated encryption key to the key management unit 14.

Step S20

Based on the PA information, the PA processor 22 a performs a keycompression process (a privacy amplification process) with respect tothe corrected bit string with the aim of cancelling out the bits thatare likely to have been tapped by an eavesdropper during the operationsof the quantum key sharing unit 20 and the EC processor 21. Moreparticularly, in an identical manner to the PA processor 12 a, the PAprocessor 22 a generates an encryption key (a key bit string); and sendsthe generated encryption key to the key management unit 24.

Steps S21 and S22

The processes are identical to the processes performed at Steps S21 andS22 according to the first embodiment.

In this way, based on the parameters related thereto, the QKDtransmitter 1 d and the QKD receiver 2 d determine the restrainingamount for the restraining operation. More particularly, for example, asa parameter related to the QKD transmitter 1 d and the QKD receiver 2 d;the length s of compressed encryption keys is calculated using Equation(2) given above and based on the detection pulse count Q, the error rateE, the EC efficiency f_(EC), and the available storage space S. Withthat, it becomes possible for the QKD transmitter 1 d and the QKDreceiver 2 d to generate encryption keys upon performing the restrainingoperation with a suitable restraining amount. Hence, while ensuringnormality in the cryptographic communication performed by theapplications using the encryption keys, it becomes possible to avoid asituation of placing burden on the amount of available space in thestorages 16 and 26 that are used in storing the encryption keys. Thus,it becomes possible to reduce the consumption of resources of the QKDtransmitter 1 d and the QKD receiver 2 d in the quantum key distributionsystem 100 b.

FIG. 9 is a hardware configuration diagram of a QKD device. Thus, theexplanation of a hardware configuration of the QKD device according tothe embodiments described above is given below with reference to FIG. 9.

The QKD device according to the embodiments includes a control devicesuch as the CPU 80, a read only memory (ROM) 81, a random access memory(RAM) 82, a first communication I/F 83 that performs communication via aquantum communication channel, a second communication I/F 84 thatperforms communication via a classical communication channel, anexternal storage device 85 that serves as the storage for storingencryption keys, and a bus 86 that connects the constituent elements toeach other.

The computer programs executed in the QKD device according to theembodiments are stored in advance in the ROM 81.

Alternatively, the computer programs executed in the QKD deviceaccording to the embodiments can be recorded as installable orexecutable files in a computer-readable storage medium such as a compactdisk read only memory (CD-ROM), a flexible disk (FD), a compact diskrecordable (CD-R), or a digital versatile disk (DVD); and can beprovided in the form of a computer program product.

Still alternatively, the computer programs executed in the QKD deviceaccording to the embodiments can be saved as downloadable files on acomputer connected to the Internet or can be made available fordistribution through a network such as the Internet.

The computer programs executed in the QKD device according to theembodiments can cause a computer to function as the constituent elementsof the QKD device (i.e., function as the quantum key sharing unit 10,the EC processor 11, the PA processor 12, the key management unit 14,the key provider 15, the controller 17, the quantum key sharing unit 20,the EC processor 21, the PA processor 22, the key management unit 24,the key provider 25, and the controller 27). In this computer, the CPU80 can read the computer programs from a computer-readable storagemedium, load them into a main storage device, and execute them.

While certain embodiments have been described, these embodiments havebeen presented by way of example only, and are not intended to limit thescope of the inventions. Indeed, the novel embodiments described hereinmay be embodied in a variety of other forms; furthermore, variousomissions, substitutions and changes in the form of the embodimentsdescribed herein may be made without departing from the spirit of theinventions. The accompanying claims and their equivalents are intendedto cover such forms or modifications as would fall within the scope andspirit of the inventions.

What is claimed is:
 1. A quantum key distribution device that isconnected to another quantum key distribution device via a quantumcommunication channel and that generates and shares an identicalencryption key with the another quantum key distribution device, thequantum key distribution device comprising: a quantum key sharing unitconfigured to generate a shared bit string by using quantum keydistribution performed with the another quantum key distribution devicevia the quantum communication channel; a correcting unit configured toreceive the shared bit string from the quantum key sharing unit andgenerate a corrected bit string through an error correction process withrespect to the shared bit string; a compressor configured to receive thecorrected bit string from the correcting unit and generate an encryptionkey through a key compression process with respect to the corrected bitstring; a controller configured to perform a restraining operation inwhich the total number of bits of one or more encryption keys generatedper unit time by the compressor is smaller than the total number of bitsof the one or more encryption keys generated per unit time by thecompressor in the case of not performing the restraining operation;wherein the controller is configured to adjust a restraining amount forthe restraining operation based on a parameter related to the quantumkey distribution device; the controller is configured to determine,based on a comparison between the parameter and a first threshold value,whether to perform the restraining operation; and the controller isconfigured to determine, based on a comparison between the parameter anda second threshold value, whether to stop the restraining operation. 2.The device according to claim 1, wherein the restraining operation to beperformed by the controller includes reducing frequency at which thequantum key sharing unit sends the shared bit string to the correctingunit to a lower level than the frequency in the case of not performingthe restraining operation, or deleting one, some, or all bits of theshared bit string.
 3. The device according to claim 2, wherein eitherone of the error correction process performed by the correcting unit orthe key compression process performed by the compressor is stopped whenthe controller deletes all of the shared bit strings.
 4. The deviceaccording to claim 1, wherein the restraining operation to be performedby the controller includes reducing frequency at which the correctingunit sends the corrected bit string to the compressor to a lower levelthan the frequency in the case of not performing the restrainingoperation, or deleting one, some, or all bits of the corrected bitstring.
 5. The device according to claim 4, wherein the compressorconfigured to stop to perform the key compression process, when thecontroller deletes all of the corrected bit strings.
 6. The deviceaccording to claim 1, wherein the restraining operation to be performedby the controller includes reducing frequency at which the compressorstores the encryption key in a storage to a lower level than thefrequency in the case of not performing the restraining operation, ordeleting one, some, or all bits of the encryption key.
 7. The deviceaccording to claim 1, wherein the restraining operation to be performedby the controller includes sharing, with the another quantum keydistribution device, a length of the encryption key calculated by eitherone of the quantum key distribution device and the another quantum keydistribution device based on a parameter related to the quantum keydistribution device and the another quantum key distribution device, andthe compressor is configured to generate the encryption key from thecorrected bit string so that the encryption key has the length shared bythe controller.
 8. The device according to claim 7, wherein, the lengthof the encryption key is calculated based on, as the parameter, an errorrate that represents percentage of bits estimated to be errors in theshared bit string, an error correction efficiency, and at least one of apriority for a combination of the quantum key distribution device andthe another quantum key distribution device, a priority for anapplication that receives the encryption key from the quantum keydistribution device, an execution count of the application, a usagefrequency of the encryption key, an available space in a storage, and astorage volume of the encryption key.
 9. The device according to claim1, wherein, the parameter is at least one of a priority for acombination of the quantum key distribution device and the anotherquantum key distribution device, a priority for an application thatreceives the encryption key from the quantum key distribution device, anexecution count of the application, a usage frequency of the encryptionkey, an available space in a storage, and a storage volume of theencryption key.
 10. A quantum key distribution system comprising aplurality of quantum key distribution devices, each corresponding to thequantum key distribution device according to claim 1, wherein theplurality of quantum key distribution devices are connected by thequantum communication channel and generate the identical encryption keythrough the restraining operation in a mutually corresponding manner.11. A quantum key distribution method implemented in a quantum keydistribution device that is connected to another quantum keydistribution device via a quantum communication channel and thatgenerates and shares an identical encryption key with the anotherquantum key distribution device, the method comprising: generating ashared bit string by using quantum key distribution performed with theanother quantum key distribution device via the quantum communicationchannel; generating a corrected bit string through an error correctionprocess with respect to the shared bit string; generating an encryptionkey through a key compression process with respect to the corrected bitstring; performing a restraining operation in which the total number ofbits of one or more encryption keys generated per unit time by thecompressor is smaller than the total number of bits of the one or moreencryption keys generated per unit time by the compressor in the case ofnot performing the restraining operation; adjusting a restraining amountfor the restraining operation based on a parameter related to thequantum key distribution device; determining, based on a comparisonbetween the parameter and a first threshold value, whether to performthe restraining operation, and determining, based on a comparisonbetween the parameter and a second threshold value, whether to stop therestraining operation.